Actions to Minimise Threat
Implement a clear policy
Companies should introduce clear, strictly enforced and centralised policies to control PDA use within a business environment, similar to the mobile phone policies many already have in place.
Examples of measures this might include are:
- Guidelines about what data can and cannot be stored on mobile devices
- Rules about registering your PDA centrally before using it to store corporate data
- Outlining employee responsibilities for the protection of data
- Rules about what security measures (for example passwords, encryption, firewalls and anti-virus software) need to be employed before a device can be used to store corporate data.
Use the right technology
In cases where data is allowed to be stored on mobile devices, adequate security should be provided and security policies must be supported by the IT infrastructure. For example:
- All PDAs should be armed with strong security measures, authentication and data encryption
- Biometric solutions such as signature recognition, fingerprint recognition and voice recognition can be used. These are more secure than the traditional password/PIN approach as they cannot be guessed, stolen or copied
- Automatic deletion software can be programmed to delete data if, for example, a password is entered incorrectly a pre-defined number of times
- PDA mirrors can be installed on the screen to prevent people looking over a user's shoulder to memorise passwords.
Educate employees
It is vital to educate employees about the risks associated with PDAs, for example:
- Using PDAs to store sensitive data
- Leaving devices unattended
- Plugging devices into unknown and possibly infected machines
- Using simple passwords or writing passwords down
- Not installing anti-virus software onto mobile devices
- Not informing their employer of what device they are using and the kinds of data they are storing on it
Analyse the risk
Mobile policies should be based on an analysis of the risks facing the organisation.
Know who is on your network
Companies must ensure they can identify an "object" using the network. That "object" can be a user, a device, a system or an application. Invalid users can then be blocked from the network if they pose a security threat.
Monitor unusual behaviour
The flow of information from PDAs within the organisation and across organisational boundaries must be controlled and monitored to identify any unusual activity, for example, repeated failed log-in attempts.
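The two checks above (identifying devices on the network and spotting repeated failed log-ins) can be combined in one pass over an authentication log. The sketch below is an added example, not part of the original article; the log format, device IDs, registry and thresholds are all constructed assumptions, and log lines are assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed inventory of centrally registered PDAs (device id -> owner).
REGISTERED = {"PDA-0012": "alice", "PDA-0047": "bob"}

# Constructed sample log, assumed format: "timestamp device_id user result"
SAMPLE_LOG = """\
2024-03-01T09:00:05 PDA-0012 alice OK
2024-03-01T09:01:10 PDA-0047 bob FAIL
2024-03-01T09:01:40 PDA-0047 bob FAIL
2024-03-01T09:02:05 PDA-0047 bob FAIL
2024-03-01T09:02:30 PDA-9999 carol OK
2024-03-01T09:30:00 PDA-0012 alice FAIL
2024-03-01T10:45:00 PDA-0012 alice FAIL
corrupt entry
"""

def analyse(log_text, registered, max_failures=3, window=timedelta(minutes=5)):
    """Return (unregistered_devices, devices_with_repeated_failures)."""
    unregistered, flagged = set(), set()
    recent = defaultdict(deque)  # device id -> timestamps of recent failures
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than stop monitoring
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp: treat as malformed
        device, _user, result = parts[1:]
        if device not in registered:
            unregistered.add(device)  # unknown "object" on the network
        if result != "FAIL":
            continue
        failures = recent[device]
        failures.append(ts)
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            flagged.add(device)
    return sorted(unregistered), sorted(flagged)

if __name__ == "__main__":
    unknown, noisy = analyse(SAMPLE_LOG, REGISTERED)
    print("Unregistered devices:", unknown)
    print("Repeated failed log-ins:", noisy)
```

The sliding window matters: PDA-0012 fails twice but over an hour apart, so it is not flagged, while PDA-0047 fails three times in under a minute.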
Know what information is being stored
Companies should inspect the content of information being sent and received via mobile devices to ensure it is not in breach of the organisational policy.
Don't assume mobile doesn't matter
Mobile security policies should be as rigorous and strategic as desktop security. Security is only as good as the weakest link in the chain.
Revealed: PDA security risks - and what to do about them (part two)
Maximise mobility, minimise threats